Channels

Services

RSA hack could endanger the security of SecurID tokens

RSA, one of the leading global manufacturers of cryptographic solutions, has apparently fallen prey to an attack in which data was stolen from its servers. According to a press release from RSA's CEO, Art Coviello, to RSA customers, part of the data included information about SecurIDproducts, which could endanger their security.

SecurID is one of the oldest systems for two-factor authentication for safe logins on computers; most people are familiar with it as a hardware token that generates a one-time password (OTP) every 60 seconds. Worldwide, 40 million tokens are reportedly used by companies in addition to an estimated 250 million software versions on mobile devices, etc.

Some of RSA's SecurID tokens, also known as hardware authenticators.
Source: RSA.com
Coviello says the data stolen reduces the "effectiveness of a current two-factor authentication implementation", which the unknown parties could exploit in future attacks. He does not, however, say exactly which data has been lost. There are speculations that the SecurID source code or even the "seeds" may have been copied. The source code would allow the algorithm that generates OTPs to be identified; furthermore, the attackers could use the source code to look for security holes in RSA software. All of the OTPs ever generated by a token can be derived from the seeds.

Attackers who have the algorithm and the seeds could probably calculate all OTPs. To log into SecurID systems, however, you need a password in addition to the OTP. RSA says it is currently telling customers how to increase the security of their SecurID systems. In an official report to the US Securities and Exchange Commission (SEC), RSA – a subsidiary of EMC – lists a number of recommendations. New tokens are not mentioned.

The attack on RSA's servers was apparently a well coordinated heist. Current insights suggest that it was an "Advanced Persistent Threat" (APT). The term is generally used in the context of industrial espionage from abroad; one such recent case concerned Google last year.